[keycloak-dev] min-time-between-jwks-requests Problems when running tests

Marek Posolda mposolda at redhat.com
Thu Mar 2 06:26:13 EST 2017

On 02/03/17 10:08, Marek Posolda wrote:
> On 02/03/17 00:29, Bill Burke wrote:
>> Ok, I just spent 1.5 days on debugging a problem and I was ready to
>> throw my laptop out of the window I was getting so frustrated.
>> #1 I copied code from the arquillian adapter tests to deploy my own
>> servlet.  When running in IntelliJ, all logging messages by the servlet
>> and OIDC adapters were eaten and never displayed.
> Keycloak logging is disabled in
> testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties
> . AFAIK it's disabled just because running whole testsuite produces very
> big logs, which caused issues with travis.
> I hope it's possible to fix that and have Keycloak logging enabled when
> running from IDE, but still keep it disabled when running from command
> line with "mvn" command. Will try to look into it. Created:
> https://issues.jboss.org/browse/KEYCLOAK-4520
Fixed now. Logging for both server and adapters is enabled now when
running tests from the IDE.

>> #2 If you have a @Deployment it deploys it in @BeforeClass and only once
>> for all tests run in the class
>> #3 I recreate/destroy my realms for every test
>> #4 The default "min-time-between-jwks-requests" is 10 seconds...Because
>> my servlet doesn't get redeployed per test, the 1st test would set up
>> the cache for the realm key for the servlet.  The 2nd test would run,
>> because the realms were recreated, there is a different key, but the
>> min-time-between-jwks-requests was 10 seconds so it wasn't updating the
>> key and my logins would fail.  This was extremely frustrating to debug
>> because of #1 and because it only happened if I was running all tests in
>> the class.
>> The workaround is to set "min-time-between-jwks-requests" to zero in
>> your adapter configuration.  This is an FYI just in case somebody else
>> runs into this.  Took me a while to figure out.
> Another possibility is to put private/public keys into your realm JSON.
> Then there are always the same keys and the same "kid" and the application doesn't
> need to re-download them.
> FYI, with my latest changes, there is no realm reimport for every test
> for most of the tests (see other thread I sent yesterday). But
> unfortunately this is not yet the case for Adapter tests (subclasses of
> AbstractAdapterTest)...
> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

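The failure described in #4 and the two workarounds from this thread, as a small Python model added here. It is not Keycloak adapter code: the `Realm` and `Adapter` classes, the key ids and the timestamps are constructed for illustration, and only the 10-second default comes from the thread.

```python
# Simplified model of a rate-limited JWKS key cache (illustrative, not Keycloak's code).
class Realm:
    """Stands in for the server: each re-creation generates a new signing key."""
    _counter = 0

    def __init__(self, fixed_kid=None):
        if fixed_kid is None:                 # no keys in the realm JSON
            Realm._counter += 1
            fixed_kid = f"generated-{Realm._counter}"
        self.kid = fixed_kid

    def jwks(self):
        return {self.kid}                     # key ids currently published

    def issue_token(self):
        return {"kid": self.kid}              # constructed token: header field only


class Adapter:
    """Stands in for the servlet's adapter, deployed once per test class."""

    def __init__(self, min_time_between_jwks_requests=10):
        self.min_interval = min_time_between_jwks_requests
        self.cached_kids = set()
        self.last_request = None
        self.requests_sent = 0

    def verify(self, token, realm, now):
        if token["kid"] not in self.cached_kids:
            # Unknown kid: refetch, but never more often than min_interval.
            allowed = (self.last_request is None
                       or now - self.last_request >= self.min_interval)
            if allowed:
                self.cached_kids = realm.jwks()
                self.last_request = now
                self.requests_sent += 1
        return token["kid"] in self.cached_kids


def run_two_tests(min_interval, fixed_kid=None, gap_seconds=2):
    """Two tests in one class: adapter survives, realm is recreated per test."""
    adapter = Adapter(min_interval)
    results = []
    for i in range(2):
        realm = Realm(fixed_kid)
        token = realm.issue_token()
        results.append(adapter.verify(token, realm, now=i * gap_seconds))
    return results, adapter.requests_sent
```

The same interval check is what caps key requests when many tokens with unknown `kid` values arrive, so setting it to zero fits a test configuration rather than a deployed adapter.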